Hackers act on emotions, too, you know…

Hackers act a lot on emotions. But that doesn’t mean you should sympathize with them. The best hackers and scammers (let’s call them attackers) understand YOUR emotions, and act on them to get you to do things you wouldn’t otherwise do.

You might think attackers (acting in a “social engineering” capacity) have just a few ways to trick you, such as making urgent requests or threatening you with penalties if you don’t do what they ask. But you should be aware that they can use almost any emotion against you, especially if they know a little information about you…

Have you ever experienced, or could you ever experience, one of these emotions?

When I teach cybersecurity awareness courses, I often put up a slide with this list of emotions that attackers might use to prompt you to respond without thinking:

Greed or desire to obtain more of something

Laziness

Ambition

Impatience

Curiosity

Fear of financial loss

Fear of lost productivity

Fear of disciplinary action

Curiosity and desire for knowledge

Fear of technology

Fear of embarrassing information exposure

Desperation from addictions or financial problems

Sympathy for others in difficult situations

Vanity and pride

Eagerness to help

Generosity

Courtesy and manners

Desire to resolve uncomfortable situations

These are just a few that I have been able to identify that attackers can readily use against you.

In particular, if attackers know any of your likes, dislikes, habits, ambitions, etc., they can craft email messages, phone inquiries or other types of fictitious situations (called pretexts) that you are unlikely to stop and question.

This makes attackers much more likely to get the information or access they need to progress toward their ultimate objective, because you are likely to act on your emotions without considering that the situation may be something other than what it appears to be.

A simple question to ask yourself…

The next time you’re responding to a request of any kind that causes you to take an important or unusual action, take a moment to just think about what emotions it is causing you to feel, and then ask yourself, “Could this be somebody trying to influence me using my emotional responses?”

This could help you avoid or prevent an unintended incident.

Security Tips

1 – Individuals and employees: Think about what the person approaching you is asking, and how it makes you feel. Is it something you would normally do, or are your emotions being hijacked?

2 – Managers: Make sure employees are aware of how attackers might try to approach them for certain types of information or access. Most people feel they are not targets because they don’t have information that they consider to be valuable. However, attackers often use people on the periphery, or in a “supply chain”, who are likely to be less protective of information.

It can be hard to teach people about emotional responses targeted by attackers. So, scenario-based training, gamified exercises and simulations are good ways to help people recognize the kinds of situations that may be high-risk for your organization.

Please contact me if you think your organization would benefit from receiving training and exercises to help them learn about social engineering threats and defenses – either live or via Click Armor, our new “gamified eLearning” solution for improving engagement and knowledge retention of important cybersecurity concepts.